Identities correlation infrastructure for passive network monitoring

US 8,584,195 B2
Filed: 09/12/2007
Issued: 11/12/2013
Est. Priority Date: 11/08/2006
Status: Active Grant

First Claim

Patent Images

1. An identity enabled policy monitoring system, comprising:

a network monitor device for receiving network traffic from a network under observation;

an Identity Acquisition Manager (IAM), executing on a hardware processor communicatively connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic and enabling said network monitor to store an Internet Protocol (IP) address of the network traffic in a cache of IP addresses when the correlation analysis performed at the network monitor indicates that there is no identity associated with the IP address, the IAM further configured to determine current login information, the current login information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the IAM distributes the current login information to one or more remote network monitors, wherein the remote probing is performed over the network, and wherein probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;

an identity-enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and

a mechanism for connecting actively into the identity infrastructure of the network under observation to get information regarding identities and for passing said information regarding identities back to the IAM;

wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and

wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User names and user groups serve as the basis of a formal policy in a network. A passive monitor examines network traffic in near real time and indicates: which network traffic is flowing on the network as before; which users or user groups were logged into workstations initiating this network traffic; and which of this traffic conforms to the formal policy definition. In one embodiment of the invention, users and user groups are determined by querying Microsoft® Active Directory and Microsoft® Windows servers, to determine who is logged onto the Microsoft® network. Other sources of identity information are also possible. The identity information is then correlated with the network traffic, so that even traffic that does not bear on the Microsoft® networking scheme is still tagged with identity

227 Citations

27 Claims

1. An identity enabled policy monitoring system, comprising:
- a network monitor device for receiving network traffic from a network under observation;
  
  an Identity Acquisition Manager (IAM), executing on a hardware processor communicatively connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic and enabling said network monitor to store an Internet Protocol (IP) address of the network traffic in a cache of IP addresses when the correlation analysis performed at the network monitor indicates that there is no identity associated with the IP address, the IAM further configured to determine current login information, the current login information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the IAM distributes the current login information to one or more remote network monitors, wherein the remote probing is performed over the network, and wherein probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
  
  an identity-enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and
  
  a mechanism for connecting actively into the identity infrastructure of the network under observation to get information regarding identities and for passing said information regarding identities back to the IAM;
  
  wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and
  
  wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.
- View Dependent Claims (2, 3)
- - 2. The identity enabled policy monitoring system of claim 1, wherein said mechanism for connecting actively comprises:
    - a distributed logon collector (DLC).
  - 3. The identity enabled policy monitoring system of claim 1, wherein an identity which served as a basis for authentication is carried forward during a session for purposes of policy enforcement.

4. A computer implemented distributed network monitoring method, the method comprising:
- providing a mapping from an Internet Protocol (IP) address to an identity;
  
  storing the IP address in a cache of IP addresses stored in a memory when the mapping indicates that there is no identity for the IP address;
  
  providing a formal policy definition based, at least in part, upon any of user names, authenticated computer names, user groups, and computer groups;
  
  examining network traffic, using a processor, in near real time with a passive network monitor to determine conformance with said formal policy definition; and
  
  providing an identity acquisition manager (IAM) module for determining which users are currently logged into computers on the network from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the IAM distributes current login information to one or more remote network monitors, wherein the remote probing is performed over a network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
  
  said passive network monitor indicating which network traffic is flowing on the network, and at least one of;
  
  which users were logged into workstations initiating the network traffic, the identity of computers initiating said network traffic, to which groups said users and/or computers belong and where said users and/or computers have previously authenticated to a network authentication infrastructure;
  
  which of said authenticated computers is receiving the network traffic; and
  
  which of the network traffic conforms to the formal policy definition.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 5. The method of claim 4, wherein said network traffic comprises information about a flow of events within a small delay of the real time of those events, labeled with their actual time, such that the flow of events is equivalent to a real-time event flow.
  - 6. The method of claim 4, wherein the mapping from IP address to identities is determined by querying a network authentication system for logon events, and by referencing a network directory to map logon information to user, computer, and group information.
  - 7. The method of claim 6, wherein authenticated computer identities are also represented as special user accounts associated with authenticated computers on the network.
  - 8. The method of claim 7, further comprising:
    - performing multiple logon disambiguation when multiple user or computer logons are detected.
  - 9. The method of claim 4, further comprising:
    - providing at least one distributed logon collector (DLC) for performing queries into network identities sources under control of the IAM.
  - 10. The method of claim 4, further comprising:
    - providing an identity-enhanced policy development tool for allowing an operator to describe formal policies about network connections between machines when described by any of;
      
      machine IP address;
      
      authenticated computer identity;
      
      authenticated computer group identity;
      
      user identity;
      
      user group identity; and
      
      combinations of the above.
  - 11. The method of claim 10, further comprising:
    - providing an identity-enhanced policy engine for reading a policy from said identity enhanced policy development tool and for using said policy to annotate a near real time description of traffic with policy results.
  - 12. The method of claim 4, further comprising:
    - providing a report showing traffic from groups to select computers which represent critical business systems, said report comprising a matrix display with larger and smaller bubbles and including colors for policy.
  - 13. The method of claim 4, further comprising:
    - providing for multi-user computers where an IP address is associated with more than one concurrent directory user, and wherein multi-user computers are considered to have no individually identifiable users logged on and, thus, no user groups beyond those of which the computers themselves are members and an authenticated users built-in group; and
      
      flagging multi-user computers, wherein a so-specified machine is always considered as a multi-user computer regardless of the number of users that are logged on concurrently, to ensure that policy applied to multi-user computers is applied consistently and deterministically regardless of the number of users logged on at that computer at any point in time.
  - 14. The method of claim 4, further comprising:
    - ranking identity policy objects with respect to each other, as well as with respect to addressable network objects, to determine a relative priority of policy relationships and a network object'"'"'s effective policy.
  - 15. The method of claim 14, wherein said ranking of identity policy objects comprises in decreasing rank order:
    - a user object or a computer object;
      
      a group object representing a user group, a computer group, or a custom group;
      
      a built-in authenticated users group;
      
      a built-in authenticated computers group;
      
      a built-in anonymous group; and
      
      ranking identity policy objects higher than any addressable network object;
      
      wherein identity policy overrides host-based policy except for a prescriptive policy.
  - 16. The method of claim 4 further comprising:
    - filtering the selection of available policy relationships using a current mapping from IP address to identity.
  - 17. The method of claim 16, further comprising:
    - selecting a policy relationship based upon any of;
      
      whether said mapping has a single user identity, whether said mapping has multiple user identities, whether said mapping has a single authenticated computer identity, or whether said mapping has no identities.
  - 18. The method of claim 4, further comprising:
    - arranging identity policy objects in a containment hierarchy to determine how policy defined for an object that is a policy relationship target is inherited by other objects that it contains.
  - 19. The method of claim 4, further comprising:
    - delaying evaluation of network traffic from a particular IP address until such time as user-identities associated with source and destination IP addresses can be ascertained.
  - 20. The method of claim 4, further comprising either of:
    - saving network event information offline in a file;
      
      orcapturing a sequence of packets from traffic data in the file; and
      
      further comprising;
      
      evaluating policy on data in said file offline; and
      
      processing identities offline.
  - 21. The method of claim 4, further comprising:
    - computing effective policy relationships for any given network object by;
      
      determining a relative ranking of a relationships'"'"' services;
      
      wherein said ranking is based on said services'"'"' transport layer specifications;
      
      for relationships that have identically ranked services, determining a ranking of said relationships'"'"' targets; and
      
      for relationships that have identically ranked targets, determine a ranking of the relationships'"'"' initiators;
      
      wherein a relationship with a higher ranking overrides a relationship with a lower ranking.
  - 22. The method of claim 4, further comprising:
    - binding identity policy objects to zero, one, or more addressable network objects;
      
      wherein an addressable network object or host comprises, directly or indirectly, an IP address space; and
      
      wherein if an identity policy object does not specify a host binding, the identity policy object is implicitly bound to an entire identity address space.
  - 23. The method of claim 22, further comprising:
    - determining a relative ranking of two bound and otherwise identical identity objects;
      
      wherein said ranking is determined by the relative ranking of the addressable network objects to which they are bound.

24. A method comprising:
- monitoring, in an identity acquisition manager, login state information of users logged into a network under observation, the login state information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the remote probing is performed over the network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
  
  receiving, in a passive network monitor, the login state information;
  
  generating a local copy of the received login state information at the passive network monitor;
  
  mapping, in accordance with the local copy of the login state information, an Internet Protocol (IP) address of the network under observation to an identity, wherein mapping an IP address of the network under observation includes storing the IP address in a cache of IP addresses stored in a memory when the mapping indicates that there is no identity associated with the IP address; and
  
  examining network traffic, using a processor, in near real time with a passive network monitor to determine conformance with said formal policy definition, wherein conformance is based on the IP address mapping, and wherein the formal policy definition is based upon one or more of user names, authenticated computer names, user groups, and computer groups.
- View Dependent Claims (25, 26)
- - 25. The method according to claim 24, further comprising requesting updated login state information from the identity acquisition manager.
  - 26. The method according to claim 24, wherein monitoring includes periodically transmitting updated login state information to the passive network monitor, and wherein generating includes updating the local copy of the login state information in accordance with the updated login state information.

27. A system comprising:
- an identity-enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon one or more of user identity, authenticated computer identity, group identity, and IP address;
  
  a network monitor device; and
  
  an identity acquisition manager (IAM), executing on a hardware processor communicatively connected to said network monitor, to;
  
  determine which users are logged into a network under observation;
  
  determine a current login state of the users using login state information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the remote probing is performed over the network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
  
  store the current login state as logon data; and
  
  periodically transmit the logon data to the network monitor;
  
  wherein the network monitor;
  
  stores a local copy of the logon data received from the IAM;
  
  updates the local copy of the data when updates of the logon data are received from the IAM;
  
  receives network traffic from the network under observation;
  
  performs a correlation analysis of user identities in the logon data and the network traffic to infer which users and user groups are responsible for generating the network traffic;
  
  stores an Internet Protocol (IP)address of the network traffic in a cache of IP addresses when the correlation analysis indicates that there is no identity associated with the IP address; and
  
  applies the identity-enhanced policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sherlock, Kieran Gerard, Cooper, Geoffrey Howard, Guzik, John Richard, Pearcy, Derek Patton, Valente, Luis Filipe Pereira
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/854,392
Publication Number

US 20080109870A1
Time in Patent Office

2,253 Days
Field of Search

726 1- 6
US Class Current

726/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1425 Traffic logging, e.g. anoma...

Identities correlation infrastructure for passive network monitoring

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

227 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Identities correlation infrastructure for passive network monitoring

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links